Confusing PPPoE

O/S windows 7. Cis Connection is wired PPPoE without any router.

Problem-01: As Ethernet ip is x.x.x.x, Firewall global rule is set to “allow all outgoing from x.x.x.x to any and block all incoming to any”. Surprisingly enough, Firewall log shows that firefox is using y.y.y.y to successfully go out which is the PPP ip. How can that happen bypassing the global rule? Whats wrong?

Problem-02: Comodo continuously logs incoming connections where both sources and destinations are arbitrary other addresses different from the ppp or lan ip even when the connection is disconnected, mostly UDP. If the connection is disabled how those requests are reaching to comodo firewall? There is a continuous 2KB/ps download data flow all the time when the rj45 cable is plugged in, despite the fact that the connection is not dialed. Why that happens and how to keep them in control of Comodo firewall?

  1. Because its out going traffic, unless you have outgoing block rule you would get an alert depending on some other configuration settings. Firefox/Mozilla are also a trust program & vendor, so unless you run in custom policy mode you would not get a alert, the request would automatically be allowed.

  2. Hard to say without a posted log capture, but most likely their UDP broadcasts for Windows services such as LLMNR, UPNP/SSDP, etc.

Thank you for the reply. I mean where allowed network zone for outgoing in Global rule is a single ip x.x.x.x, how that rule is bypassed using ppp wan miniport ip y.y.y.y? Shouldn’t firewall block outgoing from y.y.y.y ? Problem is not firefox, I just used that to describe the problem. You are right in pointing out that firewall ruleset is set to custom and I have set that knowingly. The confusion is regarding x.x.x.x and y.y.y.y. How to bring all traffic from both of them under Comodo firewall’s control?

Secondly, When connection is not dialed, no network connection is active. Then how arbitrary incoming connections are reaching Comodo? This seems as Comodo guarding lan ip, it is blocking broadcast requests. But what about ppp port? Continuous 2KB/ps download data flow indicates either of the ports are getting data. Which one and why? Even when the connection is not dialed?

Can you please enlighten me a bit on how to set firewall rules that will cover any data from/to any port - ppp and ethernet? I set up rule set believing that as pppoE needs ethernet, it is only the ethernet IP that plays the role. But that is not the case.